# PhishDestroy threat dossier — wvw-ledgerwallet.live ================================================================ Fetched: 2026-04-21 16:41:04 UTC Canonical: https://phishdestroy.io/domain/wvw-ledgerwallet.live/ ## VERDICT ---------------------------------------------------------------- CRITICAL THREAT — DO NOT VISIT Composite threat score: 100/100 (PhishDestroy scoring — see methodology below) Scam classification: Impersonation Targeted brand: Ledger ## DETECTION EVIDENCE ---------------------------------------------------------------- VirusTotal: 8/94 security vendors flagged this domain Flagging vendors: ADMINUSLabs, alphaMountain.ai, BitDefender, CyRadar, Fortinet, G-Data, Kaspersky, Sophos ## INFRASTRUCTURE ---------------------------------------------------------------- IP address: 188.114.97.3 (CA, Toronto) ASN: AS13335 Cloudflare, Inc. Hosting org: CloudFlare, Inc. Registrar: NICENIC INTERNATIONAL GROUP CO., LIMITED !!! REGISTRAR INTEGRITY ALERT — NiceNIC !!! NiceNIC International: over 90% of its registered domains are associated with illegal content; documented systematic abuse-report non-response. Primary sources: https://phishdestroy.io/nicenic-real https://phishdestroy.io/nicenic-verdict Nameservers: ["lady.ns.cloudflare.com", "arch.ns.cloudflare.com"] Registered: 2026-04-18 Expires: 2027-04-18 Page title: Ledger Live Crypto Wallet App | Ledger HTTP response: 530 ## TLS CERTIFICATE ---------------------------------------------------------------- Issuer: Let's Encrypt / E8 Expires: 2026-07-17 Status: INVALID chain Fingerprint: cd2bc0652134d86491e6a00c4a3f83e5ccf02b8b5f9d1072d91599faf9e8cc62 ## ABUSE-REPORT HISTORY (evidence of registrar non-response) ---------------------------------------------------------------- Status: pending notification queue. No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter. ## TIMELINE ---------------------------------------------------------------- Domain registered: 2026-04-18 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration) First detected: 2026-04-18 21:00:55 UTC (by PhishDestroy tracker) Earliest abuse rec: 2026-04-18 18:01:56 UTC — PREDATES current WHOIS registration; retained from a previous registration cycle of the same domain name Last verified: 2026-04-21 17:32:23 UTC Current status: ACTIVE / observable Note: one or more events above predate the WHOIS creation date. This typically means the same domain name was previously registered, detected, dropped, and then re-registered by a new party. PhishDestroy preserves the full historical record for operator-attribution research even when the underlying infrastructure changes hands. ## EXTERNAL CORROBORATION (third-party evidence) ---------------------------------------------------------------- URLScan.io: https://urlscan.io/result/019da1bf-2143-72cc-a30e-a67d858fd198/ URLQuery: https://urlquery.net/report/5913d5c5-c35a-4835-99ff-f62ed30b437b Wayback Machine: https://web.archive.org/web/*/wvw-ledgerwallet.live crt.sh CT logs: https://crt.sh/?q=%25.wvw-ledgerwallet.live Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=wvw-ledgerwallet.live AlienVault OTX: https://otx.alienvault.com/indicator/domain/wvw-ledgerwallet.live URLhaus: https://urlhaus.abuse.ch/host/wvw-ledgerwallet.live/ ## ANALYST NARRATIVE ---------------------------------------------------------------- [Generated: 2026-04-18 21:01:33 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.] PhishDestroy identifies wvw-ledgerwallet.live as an active brand impersonation scam masquerading as Ledger’s legitimate wallet service. This fraudulent domain was registered on April 18, 2026, and leverages a Let’s Encrypt SSL certificate to appear authentic. The infrastructure resolves to IP address 188.114.97.3 and is hosted by NICENIC INTERNATIONAL GROUP CO., LIMITED, a registrar frequently associated with high-risk domains. Despite its recent creation, the site has already been detected by 2 of 95 VirusTotal security vendors, indicating limited but emerging recognition of its malicious intent. The primary threat posed by wvw-ledgerwallet.live is credential harvesting and cryptocurrency theft. Threat actors deployed this domain to exploit user trust in the Ledger brand, tricking victims into entering their wallet recovery phrases or seed phrases into a counterfeit interface. Once harvested, these credentials grant attackers direct access to victims’ digital assets, leading to irreversible financial losses. The domain’s short operational lifespan—just days old—demonstrates the opportunistic nature of this campaign, with threat actors rapidly deploying infrastructure to capitalize on unsuspecting users during peak market activity or post-event phishing windows. This elevated-risk domain should be treated as an immediate threat to Ledger users and cryptocurrency holders. Its low detection rate on VirusTotal (2/95) suggests many security tools have not yet flagged it, increasing the likelihood of successful user compromise. Additionally, the domain’s reliance on a legitimate-looking SSL certificate and mimicry of Ledger’s branding further lowers user suspicion. Affected users must immediately revoke any entered credentials, transfer remaining funds to a new wallet, and scan devices for malware. Organizations should block this domain at the network perimeter and update threat intelligence feeds to prevent further exposure. Users are advised to verify all wallet-related domains against official Ledger sources and enable multi-factor authentication as an additional safeguard against credential theft. ## EVIDENCE HASHES ---------------------------------------------------------------- PhishDestroy Case ID: PD-20260418-38F383 Favicon MD5: e77d6e15aaa797a66863f59181f9b1ab TLS cert SHA-256: cd2bc0652134d86491e6a00c4a3f83e5ccf02b8b5f9d1072d91599faf9e8cc62 ## SCORING METHODOLOGY ---------------------------------------------------------------- Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates: - VirusTotal positive ratio - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB) - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor) - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.) - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing - URLScan / URLQuery verdicts - Brand-impersonation heuristics (DOM analysis of forms, logos, wording) - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures) - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...) - Free-TLS vs paid-cert ratio (throwaway infrastructure signal) - Registrar/hosting abuse history (this registrar's track record) - Human researcher sign-off (volunteer takedown team) A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT. ## CORRECTIONS / APPEALS ---------------------------------------------------------------- Full HTML report: https://phishdestroy.io/domain/wvw-ledgerwallet.live/ JSON API: https://api.destroy.tools/v1/check?domain=wvw-ledgerwallet.live Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%) Submit a report: https://t.me/PhishDestroy_bot About PhishDestroy: volunteer-driven open-source threat-intelligence platform. Tracked: 131,000+ phishing domains. Confirmed takedowns: 91,000+. Site: https://phishdestroy.io